Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (38 page)

“As we don’t really have experience with this sort of incidents yet [
sic
], we are uncertain about the next steps that we should make,” they wrote. “We are ready to collaborate with others, including you, by providing access to the malware and participating in its further analysis.”

Chien forwarded the e-mail to the rest of the incident-response team at Symantec and sent a text message to O’Murchu telling him to read it as soon as he woke up. Then he headed to the office feeling cautiously excited.

Over the past year, Chien had grown wary of people contacting him with false alarms about new Stuxnet sightings. Working for an antivirus firm, he was already used to friends and neighbors appealing to his expertise whenever they thought their computers were infected with a virus. But after his team’s work on Stuxnet got widely publicized, random strangers began contacting him too, insisting that the government was spying on them with Stuxnet. One guy even sent an envelope stuffed with fifty pages of printed-out screenshots and network traffic logs that he’d highlighted in yellow. On one, he’d circled the URL of a website he’d visited that contained the letters “en/us”—proof that the US government was watching his computer, he said.
⁶
Another correspondent, a female cookbook author,
sent Chien a few e-mails via Hushmail—an anonymous encrypted e-mail service used by activists and criminals to hide their identity. When Chien ignored the e-mails, she tracked down his phone number and left a message. She, too, was certain someone was spying on her with Stuxnet, she said, because every time she went to the library and inserted a USB flash drive into a computer there, her home computer later got infected with a virus from the same USB flash drive.

Despite Chien’s cynicism about every new Stuxnet claim that crossed his desk, he only had to read the first two pages of the report from Hungary before he knew that this one was different. “This is Stuxnet,” he said with certainty.

Despite their lack of experience analyzing malicious code, the Hungarians had produced an impressive report, although they apologized that “many questions and issues remain unanswered or unaddressed.” They had included snippets of decompiled code showing Duqu’s likeness to Stuxnet and produced a side-by-side checklist highlighting more than a dozen ways the two attacks were the same or similar. There was no attack against PLCs in this code—in fact, there was no real payload at all, unless you considered the keylogger a payload. But the fingerprints of Stuxnet’s creators were all over it. Duqu was either written by the same team that was behind Stuxnet or, at the very least, by people with access to the same source code and tools.

Chien e-mailed Bencsáth to let him know they’d received the report, then waited anxiously for O’Murchu to arrive, feeling a mix of emotions. They had long hoped that they or someone else would uncover additional clues to help them resolve their remaining questions about Stuxnet. And Duqu looked like it might provide some of the answers they were seeking. But their analysis of Stuxnet had required months of work, including nights and weekends, and he feared the new code might exact the same amount of time and energy.

O’MURCHU WAS STILL
half-asleep when he saw Chien’s text message that morning, but his grogginess quickly dispersed when he opened the attachment and read the report. There was nothing like staring down the barrel of a suspected cyberweapon to clear the fog in your mind. “I’ve got to get to the office,” he told his girlfriend as he threw on some clothes and dashed out the door.

As he drove to work, he tried to wrap his mind around what he’d just seen and couldn’t believe the Stuxnet gang was still active. After all the media attention and finger pointing at Israel and the United States, he thought for sure the attackers would have laid low for a while to let things cool off. At the very least he thought they would have altered their methods and code a little to make sure that any attack they unleashed hereafter couldn’t be traced back to them if found. But judging by the report from Hungary, it appeared they hadn’t bothered to alter their signature moves at all. They really had balls, he thought. They were determined to do whatever they had to do and didn’t care who knew it was them. Either that, or they were already so invested in using the Duqu code that they were loath to replace it even after Stuxnet had been caught.

When O’Murchu got to the office, Chien and their colleagues were already buzzing about the new attack. They contacted Falliere, who had by now relocated from Paris to the States and was now working out of Symantec’s office in Northern California. They downloaded the binary files for Duqu that the Hungarians had sent and worked on the code throughout the day and the weekend. They were happy to discover that Duqu was much smaller than Stuxnet had been and consisted of just a few files that were fairly easy to decipher. By Monday, they knew pretty much everything there was to know about the code.

Duqu was essentially a remote-access Trojan, or RAT, which operated as a simple back door to give the attackers a persistent foothold on infected machines. Once the back door was installed, however, Duqu contacted a command-and-control server, from which the attackers could download additional modules to give their attack code more functionality, such as
the keystroke logger/infostealer the Hungarians had found on one of their systems.

As for Duqu’s intent, it was pretty clear it wasn’t a saboteur like Stuxnet, but an espionage tool. Whereas Stuxnet was a black ops mission bent on destruction, Duqu appeared to be the forward scout, sent out to collect intelligence for future assaults. Symantec suspected it was the precursor to another Stuxnet-like attack. Duqu’s life-span was limited, however; a kill date in the code forced it to self-destruct after thirty-six days, deleting all traces of itself from an infected machine.
⁷

All of this seemed fairly straightforward, but as they examined Duqu’s files, they stumbled across a surprise that seemed to connect it to another mystery attack that had been puzzling them for months. Six months earlier, officials in Iran had announced that computers there had been struck by a second digital attack in the wake of Stuxnet. The announcement came months after Iranian officials had finally acknowledged that computers controlling centrifuges in Iran had been attacked. Although the Iranians had never identified the specific virus that struck the centrifuges, they gave this new attack the name “Stars.” Gholam-Reza Jalali, commander of Iran’s Civil Defense Organization, didn’t say why they called it Stars, nor did he provide much information about the attack other than to say it was aimed at stealing data. He also said it was likely “to be mistaken [on computers] for executable files of the government,” suggesting the malware may have arrived in a phishing attack, with a malicious file attached that masqueraded as a document from a government source.
⁸

Symantec and other security researchers didn’t know what to make of the report at the time, since Iran didn’t release any samples of the malware for outside researchers to examine. The fact that no one else in the world
had reported infections from “Stars” led some researchers to dismiss the report, believing that Iran had either fabricated the story to accuse the West of launching more cyberattacks or had simply mistaken a run-of-the-mill virus with a nation-state attack.

But something they found in Duqu suggested it might be Stars. When Duqu’s attackers sent their keylogger to infected machines, they embedded it in a .JPEG file—an ordinary image file—to slip it through firewalls unnoticed. The content of most of the image in that file had been deleted so the keylogger code could be tucked inside. As a result, only an inch or so of the image appeared on-screen when O’Murchu opened the file—it consisted of just a few words of white text printed on a dark background. The words were cut off so only their top half was visible, but it was still possible to make them out: “Interacting Galaxy System NGC 6745.” A Google search on the words revealed the entire picture—a March 1996 image produced from the Hubble Space Telescope. The striking image depicted a thick cluster of luminous blue and white stars enveloped in a gossamer veil of golden matter and gases—the aftermath, a caption revealed, of two galaxies “colliding” after a small galaxy of stars grazed the top of a larger one. Was it possible that Duqu was the mysterious “Stars” that struck Iran?
⁹
It seemed to Symantec and the CrySyS Lab that it was.

Symantec wanted to go public with the news of Duqu, but before the researchers could do so, they worked with Bencsáth to scrub the sample files and CrySyS report of anything that might identify the victim or the lab.
¹⁰
On October 18, the Symantec team published the anonymized
CrySyS report, as well as their own analysis of Duqu, identifying the victim only as “an organization based in Europe” and the CrySyS Lab as a “research lab with strong international connections.”
¹¹

Within an hour after the announcement broke, Bencsáth got the first hit to his personal website from someone searching for the hashes he’d posted weeks earlier. Although he’d deleted them from his site, Google cache had preserved his post, and online security forums were buzzing with questions about the deleted message. The next day he got more than four hundred hits to his domain as word spread quickly that this strange Hungarian site about canned fish was somehow connected to Duqu. There was no contact information for Bencsáth on the site, but it didn’t take long for someone to look up the registration for the site’s domain and find his name. From there it took only a simple Google search to connect him to the CrySyS Lab.

It was futile to hide the lab’s identity at this point, so on October 21, Bencsáth published a brief statement on the lab’s website, acknowledging their role in discovering Duqu, and urged everyone to stop speculating about the victim’s identity. It was too late for this, however. Word was already spreading that Duqu’s victim was a certificate authority in Europe after Péter Szor, the McAfee researcher who had received Bencsáth’s original report, wrote a blog post titled “The Day of the Golden Jackal” saying that Duqu was targeting certificate authorities and advising CAs to check their systems to make sure they hadn’t been infected. Since the CrySyS
Lab was in Hungary, people assumed the victim was too. And since there were only a few certificate authorities in that country—NetLock and Microsec e-Szigno being the primary ones—it didn’t take long for a few researchers to zero in on NetLock as the victim, though none of them went public with the news.
¹²

The implications were alarming. Certificate authorities are at the core of the trust relationship that makes the internet function. They issue the certificates that governments, financial institutions, and companies use to sign their software and websites, providing users with assurance that they are downloading a legitimate program made by Microsoft or entering their account login credentials at a legitimate website operated by Bank of America or Gmail. Attacking such an authority would allow the attackers to issue themselves legitimate certificates in the name of any company and use it to sign malware. It went a step beyond Stuxnet’s tactic of compromising individual companies like RealTek, JMicron, and C-Media. If Duqu was the work of the United States or Israel, it meant that a NATO country or ally had compromised a fundamental part of the trusted infrastructure that made transactions on the internet possible, all for the sake of advancing a covert campaign. If the United States was behind the attack, it also meant that while one branch of the government was touting the importance of securing critical infrastructure at home and developing acceptable norms of behavior for the internet, another was busy compromising critical systems belonging to a NATO ally that were important for the security of the internet, and establishing questionable norms of behavior that others would copy. But because the identity of the victim was never disclosed at the time Duqu was exposed, the public was denied an opportunity to debate these issues.

Despite the omission of this important detail, when the news of Duqu broke, it elicited a far different response from the security community than Stuxnet had. Research teams that had sat on the bleachers while Symantec
had worked for months to deconstruct Stuxnet’s payload quickly jumped on Duqu’s code to examine it—in part because it was less complex than Stuxnet and didn’t have a PLC payload, but also because they had seen what sitting on the sidelines got them. Stuxnet had signaled the dawn of a new era, and many researchers had chosen to sit it out.
¹³

One security firm that was determined not to be left behind this time was Kaspersky Lab in Russia. The Kaspersky researchers hadn’t sat idly when Stuxnet was discovered; they had put in extensive work to deconstruct the Windows portion of the attack and had been the first private researchers to discover additional zero days in Stuxnet and report them to Microsoft. But beyond its menagerie of exploits, they hadn’t considered Stuxnet a particularly interesting threat. The unfamiliar PLC code was a barrier to examining the payload, and ultimately they had determined there was little to be gained from deciphering it. So once they’d completed their analysis of the missile portion, they had moved on. But they weren’t going to make that mistake again.